aws_iam_instance_profile: Restrict example perms
In this example, principal "AWS": "*" tells IAM that any user in the world can assume that role as long as they know the account ID + role name. In my testing, "Service": "ec2.amazonaws.com" is sufficiently permissive to allow the instance_profile to work without allowing global accesses.
This commit is contained in:
parent
ed3d61446b
commit
36d0e6690d
@ -27,7 +27,9 @@ resource "aws_iam_role" "role" {
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {"AWS": "*"},
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
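Review bot: Replacing "Principal": {"AWS": "*"} with "Principal": {"Service": "ec2.amazonaws.com"} in this hunk is the right fix for a role that backs an instance profile: the old wildcard let any IAM principal in any AWS account call sts:AssumeRole against this role, whereas the service principal restricts assumption to EC2 on behalf of instances launched with the profile. One minor point on the same statement: the empty "Sid": "" is harmless but carries no information; either drop it or give it a descriptive value so the example reads cleanly.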